Epione: Lightweight Contact Tracing with Strong Privacy Ni Trieu1, Kareem Shehata, Prateek Saxena2, Reza Shokri2, and Dawn Song1;3 1UC Berkeley, 2National University of Singapore, 3Oasis Labs Abstract Contact tracing is an essential tool in containing infectious diseases such as COVID-19. Many countries and research groups have launched or announced mobile apps to facilitate contact tracing by recording contacts between users with some privacy considerations. Most of the focus has been on using random tokens, which are exchanged during encounters and stored locally on users’ phones. Prior systems allow users to search over released tokens in order to learn if they have recently been in the proximity of a user that has since been diagnosed with the disease. However, prior approaches do not provide end-to-end privacy in the collection and querying of tokens. In particular, these approaches are vulnerable to either linkage attacks by users using token metadata, linkage attacks by the server, or false reporting by users. In this work, we introduce Epione, a lightweight system for contact tracing with strong privacy protections. Epione alerts users directly if any of their contacts have been diagnosed with the disease, protects the privacy of users’ contacts from both central services and users, and provides protection against false reporting. As a key building block, we present a new cryptographic tool for secure two-party private set intersection cardinality (PSI-CA), which allows two parties, each holding a set of items, to learn the intersection size of their sets without revealing the intersection items. We specifically tailor it to the case of large-scale contact tracing where clients have small input sets and the server’s database of tokens is much larger. 1 Introduction Contact tracing is an important method to curtail the spread of infectious diseases. The goal of contact tracing is to identify individuals that might have come into contact with a person that has been diagnosed with the disease, so they can be isolated and tested. In the ongoing COVID-19 pandemic, contact tracing has been facilitated by mobile apps that detect nearby mobile phones using Bluetooth, and several countries / organizations have developed such apps. Such large-scale collection of personal contact information is a significant concern for privacy [1, 2, 3]. The main purpose of contact tracing applications—recording the fact that two or more individuals were near each other at a certain moment of time—seems to be at odds with their privacy. The app must record information about the individual’s personal contacts and should be able to reveal this information (possibly, on demand) to some authorities. Multiple ways have been proposed to protect user contact data, offering different privacy guarantees and coming at different implementation costs. For instance, in the recently released BlueTrace protocol used by the Copyright 2020 IEEE. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE. Bulletin of the IEEE Computer Society Technical Committee on Data Engineering 95 Singapore Government [5], users are guaranteed privacy from each other, but this model places complete trust in certain operating entities for protecting user information. We consider a model where governments (or operators) do not store any such sensitive user information. Not only are such databases lucrative targets for cyber-attackers, in many jurisdictions the collection of such information may raise public concerns or even conflict with privacy regulations. This is important not just for user privacy, but also because contact tracing is expected to be effective only when participation is high (e.g. 60% or more of the population [4]). Thus the overall success of the app could be limited if users are reluctant to use a contact tracing app due to privacy concerns. In our model, the health authorities maintain a database of tokens corresponding to users which have been diagnosed with the disease. The tracing app periodically checks an untrusted server to determine if the user is potentially at risk. This is done in such a way that the server cannot deduce any information about the user which is not implied by the desired functionality. The users also learn no information beyond whether they may have been exposed to the disease. Our model can also be contrasted to several other decentralized mobile contact tracing system/protocols, which we analyze in the full version of the paper [7]. As we see through our analysis, existing proposals or launched systems are vulnerable to one or more of the following privacy attacks: (1) Infection status / exposure source by users: If tokens of users diagnosed positive are publicly released, Alice can determine which publicly-posted tokens match the log on her phone. This could reveal the time, for example, when Alice and the user diagnosed positive with the disease (Bob) were in close proximity, enabling her to identify Bob. Such identification is undesirable as people have been reported to harass individuals suspected to be the source of exposure to the disease [8], leading to the so-called “vigilante” problem. (2) Infection status by server: If the server can determine which users have been diagnosed with the disease, this leaks the infection status of users to the server operator. This may not be a concern in jurisdictions where the server is operated by the health authority which already knows this information. However, in jurisdictions where the server is operated by another party that does not or should not have this information, this form of linkage can be a serious privacy threat. (3) Social graph exposure and user tracking: If a central database is used to collect both sent and received tokens as in [9], or it is possible to infer the source of a sent token as in the case of [10], then the operator of this server is able to deduce all of the social connections of a user that is reported positive for the disease, including when and for how long each contact was made. This co-location information can also exacerbate the risk of users’ location tracking [4, 3]. (4) False-positive claims by users: A user may claim to have been diagnosed with the disease when in reality, they are not. This would spread false information and panic other users, and reduce trust in the system. Table 2 provides a brief comparison of different contact tracing systems with respect to security/privacy properties, required computational infrastructure and client’s communication cost, all of which are important for a wide-scale real-world contact tracing. Details of the systems compared is discussed in the full version [7]. Our Contributions. In this work, we introduce Epione, a new system for decentralized contact tracing with stronger privacy protections than the existing systems. As a key primitive enabling Epione, we introduce a new private set intersection cardinality or PSI-CA, which is used to check how many tokens held by a user (client) match the tokens in a set stored on a server, without the user revealing their tokens. More formally, PSI-CA allows two parties, each holding a private set of tokens, to learn the size of the intersection between their sets without revealing any additional information. Our PSI-CA primitive is designed to be efficient for a large 96 System Req. Privacy Protection Against Client System Trusted # Infection Status Social False-positive Comm. Server By User By Server Graph User Cost TraceTogether [5] Yes 1 Yes No No Yes O(n) Baseline* 1 No No Most Some O(N) Private Messaging [2]No 3 No Yes Yes No Epione 2 Yes Yes Yes Yes O(n log(N)) Table 2: Comparison of contact tracing systems with respect to security, privacy, required computational infrastructure, and client communication cost. Baseline systems include Private Kit[13], Covid-watch [9], CEN [14], DP-3 [15], and PACT’s baseline system [12]. Some of these systems provide a limited level of false-positive claim protection with an additional server (or healthcare provider), and most provide protection from social graph discovery. N is the total number of contact tokens from users diagnosed positive with the disease, n is the number of contact tokens recorded by an average user that need to be checked for disease N exposure (Note that n is typically the number of new positive diagnoses per day, thus n << N). server-side database and a small client-side database, as is the case for contact tracing applications. Our new PSI-CA construction allows us to meet our privacy goals. With several other optimizations in our system design, we show that PSI-CA can make privacy-preserving contact tracing practical. 1.1 System Overview Figure 1 shows an overview of the Epione system. Users of Epione want to be notified if any of the people they have been in contact with are later diagnosed with the disease. They do not want to reveal to other users their identity, reveal whether they have been diagnosed positive, be tracked over time, or reveal their contacts to any other organization. We use a short-range network (such as Bluetooth) to detect when two users are within close range and exchange a randomly generated “contact token”. All of the sent and received contact tokens are stored securely on the user’s phone in the “sent token list” and “received token list”, respectively. The received token list never leaves the user’s phone in a form that can be used by anyone else, and the sent token list is only revealed to a healthcare provider on a positive diagnosis and with the user’s consent.